Advanced Search

Hello forum. First post here.
It has been suggested to me to ask my question here, in these forums, regarding my hardware.

My main question is:
Is the chip EastSoft HW2181 compatible in any capacity with the software provided here?

More in depth:
My toy RC quadcopter is from Lidl: PowerRC Quadrocopter

What I have tried so far:
I have a RC radio FlySky fs i6x
Purchased the iRangeX iRX6 Multiprotocol TX Module for Flysky FS-i6 i6x TransmitteriRangeX in hopes that it will work with the toy quadcopter.
Unfortunately none of the protocols of the module bind to the quadcopter.
Two of protocol selections did not produce any led flashing on the module, however I am not sure if it is working as intended, faulty firmware, and/or unrelated to this forum at all.
The full list of models/protocols of the iRangeX module is available in PDF from here .

The toy has three fly speeds, slow-normal-aggressive. It is able to do flips. LED lights are toggle-able. The remote control has a similar EastSoft chip - HW2171
Personal Speculations:
Eva2king Drone X5c appears to have the same chip on the board. The quadcopter shell has a very similar look to SYMA and obviously the model X5C.
elmsem website also has this SYMA drone claiming they use HW2181+HW2171 chips
Michael Melchior's BLOG describes reverse engineering a quadcopter drone from LIDL, however it appears to be different to mine.


Ideally I wanted to use my existing FlySky fs-i6x controller and the iRangeX iRX6 module to control the quadcopter to have "more resolution on the sticks" when flying it.
Reading up on Deviation's wiki and tutorials I understand that this forum is more dedicated to Walkera Devo® series RC Transmitters.
Neither the drone model, nor the chip appears to be on Supported Models and/or Supported Protocols.
The least I could do is show compatibility interest for my model/chip.

Any help is very much appreciated.


Visual references:






PS. You can see for yourself that my cat is not very thrilled with that is about to follow

I have tried this program on Ubuntu Linux and find the video playback freezes up completely after about 50 seconds +-. And it always does that. The recording did not work for Linux at all, I had to change the code and recompile to get recording to work on Linux. What can I do to get it to play the video contstantly, I am not sure why it is always freezing up like that. I must kill ffplay completely and restart drone_protocol.jar to get the video playback to play at all and then it freezes again.

I've to update the manual, meanwhile there's a compatibility list here:
bit.ly/deviation_models

I suppose some newer CX-33 are using the Q303 protocol instead of CX-10 "green", Cheerson often change protocols for a same machine.

Ich habe da mal eine Frage:

Wie oft wird eigentlich die Liste aktualisiert??

Ich habe gesehen, das einige Protokolle in der Liste garnicht geführt werden.
Ebenso sind einige Modelle mit den Protokollen die in der Liste stehen nicht zu betreiben.

Ich habe hier den Cheerson CX-33 der laut Liste mit CX-10 fliegen soll. Mein Cheerson CX-33 fliegt aber mit Q303 welches in der Liste fehlt. Ebenso fehlt PXX und NCC1701.

Nur mal so gefragt.


I've got a question:

How often is the list actually updated?

I have seen that some protocols are not listed in the list.
Similarly, some models with the protocols in the list are not to operate.

I have here the Cheerson CX-33 which is to fly according to list with CX-10. My Cheerson CX-33 flies but with Q303 which is missing in the list. Also missing is PXX and NCC1701.

Just asked.

Solved!! Some of the CX-10W's use the Q303 Protocol (CX10WD) Also, you must not be bound with the wifi or it wont bind. Hope this Helps, Good Luck!

Yeah, you are right, the protocol is correct, I just realized that I calculated the last two channel wrong. My program reads bytes in reverse order:)

ccees123 wrote: Hi horbish. Really appreciate your help! However, I think there are something wrong with the protocol.

When I was listening at 2.402G, I got the the CID 0x12345bbb

You do not have permissions to access this page.

From the potocol: github.com/DeviationTX/deviation/blob/ma...doc/CX10Blue.txt#L63
I got the frequency hopping channels: 2.414, 2.433, 2.450 and 2.475.

Then I restarted devices and listened at 2.141, things looks fine and signals including both binding and flying phases

You do not have permissions to access this page.

You do not have permissions to access this page.

Then I did same thing again and listened at 2.433, I got the similar result as at 2.414.

You do not have permissions to access this page.

You do not have permissions to access this page.

And when I was listening at 2.45 and 2.475, no signal data was detected.

This hopping behavior doesn't make sense. Because if controller finished binding signal and started flying phase at 4.141. Then it should transmit command at 2.433 instead of similar binding and flying packet.

After controller and quad bind together, I tried to simply record and replay signals at 2.43, 2.45 and 2.475 which of course didn't fly the quad. So I'm wondering if the protocol of cx-10A has been changed.

I don't think the protocol has changed, maybe the stock controller sends of few binding packets on data channels at the end of the bind sequence. (I don't have a working stock transmitter anymore)
Try to replay only on 2414 MHz.
Scan the ISM band to search for the used channels.
... or just get a logic analyzer ($5), connect it to the SPI bus in the TX, then you'll be sure

The CX10-A (blue PCB) doesn't use a nrf24l01 but a xn297 transceiver.

I don't want to do your homework, but here's what you can do if you really have to use a HackRF:
(I suppose you can't just use a logic analyzer connected to the stock controller as that would be too easy and considered cheating )

Use gnuradio to grab and demodulate the GFSK signal during bind (2402 MHz with transmitter powered on and quad powered off):
www.dropbox.com/s/sk28appcfpwtkap/xn297_gfsk_demod.grc?dl=1

(You'll have to replace the output filename in the file sink block and might have to tweak the freq fine slider until you see some activity in the "Data" scope sink dialog.)

Then use the demodulated output (0 & 1s & preamble markers) to decode and unscramble the xn297 packets, here's a C/Qt program to do that:
gist.github.com/goebish/d08d9a7458cc34eafe5cc6f64bf34ceb
(that's quick and dirty, crc is not checked ...)

You should end up with something like this (that's not a cx-10a in the video):

Then just look at the packets to retrieve the TXID, e.g in this picture the TXID is D7 23 63 27 :

(decoded from an actual CX10-A transmitter)

From that you can extrapolate the frequency hopping channels for your replay attack:

rf_channel[0] = 0x03 + (0xd7 & 0x0f) = 0x0a = 2410 MHz
rf_channel[1] = 0x16 + (0xd7 >> 4) = 0x23 = 2435 MHz
rf_channel[2] = 0x2d + (0x23 & 0x0f) = 0x30 = 2448 MHz
rf_channel[3] = 0x40 + (0x23 >> 4) = 0x42 = 2466 MHz

I'm not 100% sure but I believe that someone who reverse engineered the RX side told that only rf_channel[0] is used by the RX actually, that should be pretty easy to attack, just spam your packet(s) on this channel

... but I agree that for retrieving TXID it would be simpler to use an arduino with a nrf24l01 emulating a xn297 in rx mode, or just connect a logic analyzer to the stock controller (SPI) if you're allowed to.

You'll need a logic analyzer, preferably one with an SPI decoder. Salae is popular. See this thread .

nRF24L01 is the radio chip in the CX-10. SPI is the hardware interface between it and the microprocessor.

Thank you so much for the answer. I do have physical access to devices. But what is nRF24L01 SPI interface? Is it hardware for nRF24L01? I'm currently using hackrf one. Wondering if I need to buy extra hardware.

If you have physical access to the tx or rx then capture from the nRF24L01 SPI interface. Otherwise over-the-air is the only way I know.

Hi guys, I'm currently working on a school project that requires us to do a replay attack on CX-10A. Since I'm new to this field, I don't know how to find the controller's identifier(CID). And without CID, I can not find the correct frequency hopping channels.

Does anyone know if there is a easy way to find CID or capture the packet? It is too hard to decode the signal from IQ values.

I can, yes. I'm working til late every day but I'll try to do it as soon as possible. In the meantime, the CX-10D came and it has an XL297 but not the L version. (both the quad and the tx)Do you think if it will still work? I couldn't find the proper datasheets for them, so I can not compare the registers. Should I try to replace it?

Thanks! I've ordered one of those as well. The CX-10 uses an all in one chip, they must have optimised the manufacturing costs with that. I've also ordered a CX-10D and an x-lite radio with the mpm module so I should be able to test if the protocol works once its implemented. Now I just need to wait for the stuff to arrive.

This little accident really bugs me(pun intended), so I decided to get a cx-10 from amazon, its around 15 bucks and should arrive on friday. I just hope that it has the right chip. If not, its just gonna be for my girlfriend lol.

Hi Folks,

has anyone got a Model-Ini for the TR-G1 Ghost Drone?



I tried Bayang and CX-10 / H8 Protocols but this won't bind. I opened the TX and saw that there is a "wj-297 l-rf" module in it.

Ten eerste zou ik de vraag in het Engels stellen, maar je hebt geluk

Soms is het even uitvogelen welk protocol je moet gebruiken, de Cheerson CX-10 die ik had bleek uiteindelijk een FQ-xxx.

Als je in de buurt van Groningen woont kan ik je wel wegwijs maken met de transmitter.

I`ve just tried to binf my CX-10D with Devo 7E using the protocol Q303 with both CX10 and CX10W variants with no success. I`ve used nightly build cc06d0 firmware instead the test builds avaiable in this thread.

The quad`s lights remains blinking quickly meaning no binding. Is there some bind procedure diferent to do that rather than just switch on the model and then pressing the button "bind" on transmitter?

Or Should I prefer try the test build avaiable in this thread instead the newer nightly build?

I have installed the 4in1 as per instructions but when it boots up it says missing modules cyrf6936. I tried binding to a CX-10 but all models seem to have an asterisk in front of them.

Here is my hardware.ini

I need some help here. I'm trying to bind to a CX-10 as a test and it's showing an asterisk in front of the model name. Also says missing modules cyrf6936 at bootup.